by gkya 3700 days ago
I'll guess, totally uninformedly, that most PC users' data/privacy gets breached because of their use of insecure third party services and/or their insecure use of third party services. That is, their credentials get stolen, the databases of the services they use are leaked and the service is late to realise the attack, they do not sanitise input and pass it directly to the database, etc. If my guess is correct, then using OpenBSD or GNU/Linux or MSDOS won't help, the users need to be informed and educated on how to securely use the online services. We already have the infrastructure: public schools. A couple of hours a week for a semester can be spared for a personal computing security lesson.

I really doubt the actual effect of using OpenBSD or whatnot on a PC user's security. It is a clean and beautiful OS, and if I wasn't blocked by hardware (ath5k, Atheros ARBXB63 on Asus X51RL, help appreciated) I'd use it (I use FreeBSD and I love love love it), but I don't think, as a PC user, it is necessarily considerably more safe in practice than a well-built Linux distro. _Server is another story though_.

2 comments

You are totally ignoring the malware problem that's been going on for quite some time. All those botnets with hundreds of thousands of computers started as flaws in the OS or applications. Something like OpenBSD will definitely reduce the amount of those. High-assurance security platforms that address root causes with rigorous analysis reduce it to almost nothing. Usually new attack classes discovered to breach those.

So, yes, configurations and sharing will still be a problem compromising many users. But, no, the malware problem would be greatly reduced. That everything else is built on top of that integrity guarantee makes it the most important. Then, users can choose what they share, how they configure, and so on from there. Also, systems can be designed without need to share secrets to operate. Systems can also be largely self-configuring. We've seen both in market and FOSS. So, it's a common issue but not inherent.

My intuition was that malware attacks were less prominent nowadays. I certainly cannot and will not deny the advantage of OpenBSD in front of malware, and I also cannot and do not ignore botnets, keyloggers, various code injection attacks, etc., but I believe nowadays what's at the highest risk is what we store on others' disks, i.e. the cloud, and what the commoners do, like emailing passwords in cleartext, using clumsy inept passwords, not caring about https, not knowing that one has to block JavaScript, etc. Aren't these more easily exploitable in practice than say a stack overflow somewhere in my programs (not a rhetorical question)? Though I'm no security expert. But I know that it's easier to get the bucks of a 50-year-old first-time-internet-user who's heartily disposed to enter their Gmail password to any box with a Password: label. I know many of them. To many the URL bar is linenoise. "bank.com.hackersdomain.tk"? Some cryptic crap, I don't know what it is, it looks like my bank.

The moral is an ignorant user can easily be exploited even on OpenBSD, while a security-savvy user can secure himself even on an insecure OS. Thing is, the former is way more prominent, they're in billions. I don't dismiss advantages to secure OSs, but say that the more important problem is inept users.

"My intuition was that malware attacks were less prominent nowadays."

They are and they aren't. What you're seeing is a combination of economics and improvements in software quality. Economics says they focus on whatever gets them the most zombified PCs since competition drives prices of each individual PC down in black market. To get this, they target apps with most widespread use. This is why almost all 0-days were found in Windows, IE, Firefox, Java, Adobe Acrobat, etc.

Microsoft's SDL & QA tools did them a 180 on code quality. Low-hanging fruit in major apps might be drying up because so many bugs were found. Attackers shifted focus to backend databases via hits on web apps as that's new low-hanging fruit (read: shit security) with huge rewards (eg million records at once) for success. So, it's not that it's gone away so much as not as popular while low-hanging fruit exists for their purposes. Organized crime, esp targeting online banking, plus nation-states continue to find, sell, and use 0-days for malware. It's still a thing except stealthier and more targeted.

"Aren't these more easily exploitable in practice than say a stack overflow somewhere in my programs (not a rhetorical question)?"

Oh yeah. Skilled hackers look for all of that. They'll look for that kind of stuff first since it saves time.

"The moral is an ignorant user can easily be exploited even on OpenBSD"

No argument from me there.

"while a security-savvy user can secure himself even on an insecure OS"

That's been disproven by too many pentests. You can cover lots of known risks but then get hit by something inherent in poor foundation you built on. I liken it to building your castle on foundation of quicksand. Security properties work layer by layer, piece by piece, from bottom up plus interactions with other systems via protocols. I might be able to secure DOS apps but DOS's intrinsic properties might eventually do me in. See what I'm talking about?

I do see what you're saying and I agree completely. But maybe I'm bad at telling my point: How can a secure OS help keep me from putting my credentials into a phishing webpage? How can it prevent me from setting my Facebook/Gmail password as riley89angel? How can it keep me from writing my passwords into plain text files? This is why I think user education is at least as important as a secure stack, and should be considered by the states worldwide as a lesson in the public schools, ASAP. Our lives are going completely online, and most of the people don't know what to do and what might happen.

I already agreed with you on that. It was malware and secure-on-insecure-OS points I was countering.

I'll add that user education has mostly failed. The recent consensus in INFOSEC is we need to design solutions where it's hard to do it insecurely and still easy to use. Signal messaging app is a great example of that. Another is Combex's PowerBox scheme for permissions on files where file dialog transparently grants a single file's access to app when user uses it. OS or runtime protects its security. But, what user is giving to what application is clear even without technical knowledge.

So, education plus better design like I described is next steps.

> ...because of their use of insecure third party services...

The OS is partially to blame for that. I've got all my external services separately jailed in FreeBSD, with firewalls tuned to each service. Unless they come packing a 0day jailbreak exploit - a compromised service will spread no further, the web server isn't going to be SSHing into the kerberos server. Having your DB dumped sucks, but the really embarrassing compromises (HackingTeam, AshleyMadison, HBGary, etc) involved establishing a beachhead on a vulnerable service and then pushing in further.

You can manually set these things up in any OS, but the easier an OS makes it to be secure - the more likely it is that the machine will be secure.